Hello,

Bhasker C V wrote:
>
> Q1)
> I came to understand that the first rule to take the hit is the
> PREROUTING nat table (after the mangle).

This is awfully phrased. PREROUTING is a chain, or more exactly chains which exist in several tables: raw, mangle and nat (in traversal order). Each chain of each table can contain rules. Each table is optional, so the PREROUTING chain of the nat table may be the first, second or third chain hit by an incoming packet. Note that only packets creating a new connection (therefore having the state NEW) hit the chains in the nat table.

> So in case I want to do a DNAT of
> input packets to one of the interfaces in another machine on the same
> network as the router, then, I can apply a DNAT rule in the PREROUTING.

Why "so"? DNAT of incoming packets must be performed in the PREROUTING chain of the nat table, that's all. This is unrelated to the above.

> But if I want to also select that the packet must be DNAT'ed only if
> the input is from a specific ip address, then applying the DROP rule for
> 'anything other-than' type of packets is not effective in the INPUT chain
> since the packet traverses the routing decision and goes into the FORWARD
> chain and goes outgress...

Are you talking about DNAT or filtering? Deciding what to DNAT or not and deciding what to ACCEPT or DROP/REJECT are two different and independent tasks, performed in different tables and chains. "DNAT only packets from some source address" is different from "ACCEPT only packets from some source address".

> So out of many experts here, I just wanted to take an advice on where to
> keep the DROP/REJECT firewall rules ?

In the INPUT, FORWARD and OUTPUT chains of the filter table.

> Q2)
> I was guessing from the man pages of iptables that I can give multiple
> source ip addresses in a single stretch by separating them with a ',' .

No, you can't. Where in the man page did you guess this from?

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4d571830.8000...@plouf.fr.eu.org
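The separation the reply describes (DNAT decided in nat/PREROUTING, ACCEPT/DROP decided in filter/FORWARD) and the "one source address per rule" point from Q2 can be shown in one small generator. This is an added example, not code from the thread or from the Debian project: it emits an iptables-restore style ruleset for a router that forwards TCP port 80 to an internal host only for a list of allowed source addresses, writing one rule per address instead of a comma-separated list. The interface name, the internal host and the allowed addresses (RFC 5737 documentation range) are constructed values for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread). Generates an iptables-restore
# style ruleset: DNAT in the nat table's PREROUTING chain, filtering in the
# filter table's FORWARD chain. All addresses/interfaces below are constructed.

WAN_IF="eth0"                        # assumed external interface
INTERNAL_HOST="192.168.1.10"         # assumed internal target of the DNAT
DPORT="80"
ALLOWED_SRC="203.0.113.5 203.0.113.6"   # constructed example sources

# nat table: one DNAT rule per allowed source address. Only packets with
# conntrack state NEW reach this chain, so no explicit state match is needed.
gen_nat_rules() {
    printf '%s\n' '*nat'
    for src in $ALLOWED_SRC; do
        printf '%s\n' "-A PREROUTING -i $WAN_IF -s $src -p tcp --dport $DPORT -j DNAT --to-destination $INTERNAL_HOST:$DPORT"
    done
    printf '%s\n' 'COMMIT'
}

# filter table: the ACCEPT/DROP decision lives here, not in nat. Reply traffic
# for known flows is accepted first, then the DNATed flows from the allowed
# sources, and everything else arriving on the WAN interface is dropped.
gen_filter_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for src in $ALLOWED_SRC; do
        printf '%s\n' "-A FORWARD -i $WAN_IF -s $src -d $INTERNAL_HOST -p tcp --dport $DPORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' "-A FORWARD -i $WAN_IF -j DROP"
    printf '%s\n' 'COMMIT'
}

# Full ruleset, in the order iptables-restore expects the tables.
gen_ruleset() {
    gen_nat_rules
    gen_filter_rules
}

# Usage: gen_ruleset > rules.v4, review the file, then load it with
# iptables-restore < rules.v4 (run as root on the router).
gen_ruleset
```

Because the two decisions are independent, an address can be dropped from `ALLOWED_SRC` in only one of the two functions to see the effect the reply warns about: a DNAT rule without a matching FORWARD ACCEPT is silently dropped by the final rule, while a FORWARD ACCEPT without a DNAT rule never sees the rewritten destination.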